Review: OpenBSD 3.5

The OpenBSD Project released OpenBSD 3.5 exactly on schedule on May 1, adding support for new functions and devices in the kernel and updating the base system. While it may not be the most versatile operating system in the world, OpenBSD shines when it comes to security, providing a default installation that doesn't have to be locked down and partially disabled before using it.

It takes some effort to make OpenBSD into a reasonable desktop platform. OpenBSD's design is better suited for use as a server. The Ports tree doesn't have a very wide selection of desktop-oriented programs -- certainly not to the extent of FreeBSD's 10,000-strong Ports tree -- but it does include the basics for desktop functionality. The trouble with including piles and piles of ported applications is that their security cannot be guaranteed, and OpenBSD is all about security.

The quickest way to get OpenBSD 3.5 is through an FTP install. You download a small CD ISO or floppy image, boot from it, then download the installation sets from the OpenBSD FTP servers. I had some problems with this method, especially in the area of network configuration.

The OpenBSD 3.5 CD set is not expensive at $40 (or 45 euros), and if you're seriously considering OpenBSD, it's worth buying the CDs for their superior functionality and convenience.

OpenBSD's installation script is spartan, and therefore intimidating, and leaves you to fend for yourself at a blank terminal screen at the end. The partitioning utility's help function lists too many commands to display on one screen. If you don't know the shift-pgup trick to scroll up in a terminal, you'll have a hard time figuring out how to add a new partition. Fortunately the CD set comes with a walk-through of the entire installation procedure, so even if you get stuck there or at another part of the process, you can work through it.

The afterboot man page gives OpenBSD newcomers a crash course on everything from setting up NFS and Apache to performing your own security audit. It's wide-ranging yet concise; you can easily read it in one sitting. A message appears after your first login, suggesting that new users peruse the afterboot man page, and every OpenBSD installation comes with an introductory email from project leader Theo de Raadt, listing many of the binary packages available for OpenBSD and how to install them, and where to get help if you need it.

Included with the standard installation are OpenSSH 3.8.1 (OpenSSH is part of the OpenBSD project) and OpenSSL 0.9.7c; GCC 2.95.3 and 3.3.2 with the ProPolice add-on installed and enabled by default; Perl 5.8.2; Apache 1.3.29 with default chrooting, privilege revocation, mod_ssl 2.8.16 and DSO support; Sendmail 8.12.11; BIND 9.2.3; Heimdal 0.6rc1; and a customized fork of XFree86 4.4.0 without the new, more restrictive licensing. Other packages like Lynx and Sudo are also included, and many of the above-listed programs include specialized patches from the OpenBSD team to enhance security and functionality.

The best parts of OpenBSD are seen only from the command line interface; all of your configuration and system setup will be done from a shell prompt. The manual pages make it easy to learn to do whatever you want to; if you're afraid of the CLI, OpenBSD will either convert you or condemn you. If you're somewhat familiar with the CLI, OpenBSD will bring you to a whole new level, teaching you how to enable and configure services that you might not have used before.

I tested version 3.5 on several machines: an Intel-based system with a D875PBZLK motherboard and a Prescott Pentium 4 processor; an Athlon 64 system using an Asus K8V Deluxe motherboard (in 32-bit mode); a VIA Epia ME6000 system; and a Dell Inspiron 3800 laptop computer. OpenBSD installed perfectly on all of them, correctly setting up the networking hardware and allowing them all to communicate via OpenSSH. This is the first OS I have tested that has been able to do this on these machines without any problems. So much for the myth that the BSDs are behind in hardware support.

Security and cryptography

OpenBSD is secure by default; that means that it does not start any services or daemons without your telling it to. It installs nothing secretly and does not leave any opening for a local or remote attack. The downside to this cautious approach is that you must configure and enable all of the features and services that you need. This is an ideal learning opportunity for beginners who are learning how to configure a server, and a more secure approach than that of most operating systems, which enable a lot of services and servers by default and then expect administrators to disable what isn't needed. While hotshot sysadmins might prefer the latter method to get a server set up more quickly, less experienced people will derive much more benefit from the result of the secure by default philosophy. This is not to imply that OpenBSD is meant only for beginners, but it is designed so that you don't need to be a security expert to properly administer your system.

Another interesting security feature is the inability to load or unload kernel modules when in a securelevel greater than 0. This means that when you're running in multi-user mode, no one can tamper with kernel modules. This prevents malicious modules from being loaded, a feature that few other operating systems offer by default.

Since OpenBSD is distributed from Canada, it can include integrated cryptography. U.S. law prohibits exporting most cryptographic binaries without the permission of the federal government. You can't even help contribute to cryptographic development in other countries if you're a U.S. citizen. OpenBSD includes enough cryptographic software to warrant a separate review on the subject, and the project's Web site provides still more information about cryptography in OpenBSD.

Installing software: Ports and packages

For security reasons, OpenBSD 3.5 does not install the source tree or the Ports tree by default. You can download the tar.gz archives from the OpenBSD FTP site or find the same tarballs on disc 3 of the CD set.

Once the Ports tree is unpacked to the /usr/ports directory, you can install more than 2,500 programs from source by navigating to the program's directory within the Ports tree and typing make install. Alternatively you can download a precompiled package from the OpenBSD FTP site, then install it with the pkg_add command. This is a bit of a departure from the FreeBSD package system, which offers name resolution for the retrieval of packages. For instance, in FreeBSD you can type pkg_add -r kde and the KDE packages will be downloaded and installed along with all dependencies. OpenBSD requires the full path for the package on the FTP site, or you can install a package that has already been downloaded.

Security: A process, not a problem

If all you're running is a desktop machine or workstation, your only security precautions probably include enabling a firewall and disabling or uninstalling unused server software. But there's much more to security than an end-user can immediately see. In setting up an operating system for a server -- especially a production server -- the sysadmin should condut a full audit of the system before it is brought online. This includes examining every piece of software on the system to ensure that it is configured properly and up to date with all security patches; testing the services, disabling any that are unnecessary; hardening the kernel; monitoring file permissions and logs, looking for suspicious activity; and finding and installing all security updates for both the OS and the installed software. In other words, security on a production machine is not a problem to be solved and then forgotten about; it is a continual process which requires attention and vigilance.

Where OpenBSD truly shines is in anticipating these kinds of tasks and helping you accomplish them more quickly and with less effort. On a GNU/Linux or proprietary Unix system you can create scripts and cron jobs to automate much of your security audit, but that takes a lot of knowledge and experience to do. OpenBSD takes the hassle out of an administrative security audit by checking the logs and file permissions and emailing the root account every day with a security report. It also disables all daemons by default and adds special security-enhancing modifications for Apache, OpenSSL, and other outward-facing programs.

In addition to the secure default state, the other facet of OpenBSD's top-quality security is behind the scenes. The code itself undergoes an ongoing and extensive security review by the OpenBSD security team to ensure that there are no known or potential vulnerabilities waiting to be exploited. Often times a potential problem is fixed in the OpenBSD code long before it is discovered, exploited, and patched in other operating systems.

In the end, OpenBSD offers little that any modern Unix operating system plus a good sysadmin doesn't, but it's a matter of convenience and preference. The process of maintaining a secure system is still up to the administrator, no matter what operating system you use.

There are three versions of OpenBSD's Ports and source trees, and both trees must "match" each other's versions. The most common version is of course the RELEASE branch, which is the software as it was on the release date. One up from that is the PATCH branch, which is RELEASE with all of the security updates installed. Above that is CURRENT, which is the cutting edge of OpenBSD development. Obviously you don't want to run experimental code on a production machine, so CURRENT is only really useful to people interested in contributing to the project.

If you installed the RELEASE branch -- which is what is on the CDs -- you'll need to check the above-mentioned list of security updates to make sure there are no patches to install. If there aren't, and you have installed all of the software you will be using, there is no reason to upgrade to the PATCH release. If only one or two patches apply to you, it would be easier to install them individually rather than upgrade to the PATCH branch. But if you do choose to do an upgrade, all you have to do is get the source and Ports tarballs for PATCH from the FTP site, then rebuild the kernel and all of the binaries. It sounds complicated, but it really isn't; the entire process is well-documented.

Going to CURRENT from STABLE is more difficult -- you have to first upgrade to a CURRENT snapshot, then use anonCVS to update the source, then recompile everything. I didn't try this because I'm not interested in running CURRENT, nor is this something most people would ever need or want to do.

New in 3.5

OpenBSD versions are released every six months, and older versions of the software are not supported. If you want to stay current and secure, you must upgrade. There were dozens of significant improvements introduced in 3.5 -- too many to list here, but you can check out a breakdown of the major improvements or the complete changelog. Here are some of the more interesting points of the new release:

Support for the AMD64 and EM64T architectures, including the NX bit in the new AMD64 processors

CARP (Common Address Redundancy Protocol), which allows multiple hosts on the same local network to share a set of IP addresses among them

Performance improvements galore, including major improvements in pthreads

OpenSSL speed improvements on i386, and support for VIA's integrated AES encryption hardware

Network boot support for i386 and AMD64 using pxeboot

Conclusions

I really enjoyed using OpenBSD 3.5 for the review, and I'm going to continue to play with it. I plan on setting up an IMAP server with spamd so that I can keep all of my email in one place. I'm also going to put my home directory on NFS using OpenBSD as the server. I wouldn't have felt compelled to do any of this with GNU/Linux or FreeBSD -- there's just something about OpenBSD that is conducive to learning more about these kinds of things.

OpenBSD 3.5 is an impressive operating system; it has features and hardware support that proprietary Unixes only dream of having. You won't find hardware accelerated 3D video drivers for OpenBSD, so if you can live with that and don't need a lot of exotic programs, OpenBSD 3.5 can be a desktop platform. But that almost seems a waste, as its abilities as a server far overshadow OpenBSD's other capabilities.

In future releases it would be nice to see symmetric multiprocessing (SMP) support; from the mailing lists it seems that this is already being tested. I can't think of too many other ways that OpenBSD could improve, aside from continuing to add support for new hardware and other technologies, and even then it's already ahead of the game.

You don't have to be a skilled sysadmin to use OpenBSD 3.5. If you're just starting to experiment with setting up a server in your home or office, OpenBSD is an excellent way to safely learn how to set up services, perform security audits, and manage small servers the right way. That doesn't mean, however, that OpenBSD is just for beginners.

As a server operating system, OpenBSD is more or less a complete solution -- you won't have to add many applications, if any at all. If you're planning to set up a home server, or if you're a sysadmin looking for a no-hassle server OS for a production environment, OpenBSD 3.5 should be at the top of your list.